Discover and read the best of Twitter Threads about #OBTS
Most recents (8)
RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) ๐๐โ ๏ธ
One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"
...let's dive in! 1/n ๐งต
One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"
...let's dive in! 1/n ๐งต
We'll start with 3CXDesktopApp-18.12.416.dmg
(SHA 1: 3DC840D32CE86CEBF657B17CEF62814646BA8E98)
It contains a *notarized* app ("3CX Desktop App.app") ...meaning Apple checked it for malware "and none was detected" ๐โ ๏ธ 2/n
(SHA 1: 3DC840D32CE86CEBF657B17CEF62814646BA8E98)
It contains a *notarized* app ("3CX Desktop App.app") ...meaning Apple checked it for malware "and none was detected" ๐โ ๏ธ 2/n
This app is massive - 381mb ๐คฏ
...let's focus on libffmpeg.dylib
found in the App's /Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries directory
(SHA 1: 769383fc65d1386dd141c960c9970114547da0c2)
It was submitted to VT today:
virustotal.com/gui/file/a64faโฆ 3/n
...let's focus on libffmpeg.dylib
found in the App's /Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries directory
(SHA 1: 769383fc65d1386dd141c960c9970114547da0c2)
It was submitted to VT today:
virustotal.com/gui/file/a64faโฆ 3/n
I've just posted slides from my #OBTS v5 talk: "Making oRAT, Go" ๐๐
speakerdeck.com/patrickwardle/โฆ
After creating a custom C&C server, we can uncover the malwareโs full capabilities - simply by asking (tasking) the right questions! ๐คญ
speakerdeck.com/patrickwardle/โฆ
After creating a custom C&C server, we can uncover the malwareโs full capabilities - simply by asking (tasking) the right questions! ๐คญ
1๏ธโฃ First, we must understand how the malware figures out how to find its C&C server - so we can coerce it to talk to our C&C instead!
As this (encrypted) info is embedded within the malware, we can write a simple decryptor/encryptor to (re)configure the malware ๐พ๐โ๐ผ๐ โ ๐ฅโ
As this (encrypted) info is embedded within the malware, we can write a simple decryptor/encryptor to (re)configure the malware ๐พ๐โ๐ผ๐ โ ๐ฅโ
2๏ธโฃ Second, we need to understand its protocol, so we can task the malware to reveal its capabilities.
A brief triage of the malware's binary shows us it sets up a local server and registers various "routes" - taskable via requests from a remote C&C server.
A brief triage of the malware's binary shows us it sets up a local server and registers various "routes" - taskable via requests from a remote C&C server.
Pretty excited for this talk by @patch1t about a one-click macOS takeover, starting out mentioning P0โs iMessage exploit and NSOโs Pegasus spyware. #HITB2022SIN
In his talk, @patch1t also gives a shoutout to @patrickwardle for this 2021 blog post about bypassing macOS's file quarantine, gatekeeper, and notarization requirements. #HITB2022SIN objective-see.org/blog/blog_0x64โฆ
The story of CVE-2021-30657 was one of my favorite talks at #OBTS last year, esp. the way @cedowens, @jbradley89 and @patrickwardle talked through the steps to finding the initial flaw.
"Objective by the Sea" the Mac Security Conference, is back for v5.0!! ๐๐ฅณ #OBTS
๐ Spain (near Barcelona)
๐ง๐ปโ๐ป Trainings: Oct 3rd - 5th
๐ง๐ปโ๐ซ Presentations: Oct 6th - 7th
Submit a talk or register today:
objectivebythesea.org/v5/index.html
...we can't wait to see y'all in sunny Spain! ๐ช๐ธ
๐ Spain (near Barcelona)
๐ง๐ปโ๐ป Trainings: Oct 3rd - 5th
๐ง๐ปโ๐ซ Presentations: Oct 6th - 7th
Submit a talk or register today:
objectivebythesea.org/v5/index.html
...we can't wait to see y'all in sunny Spain! ๐ช๐ธ
#OBTS v5.0 will be held at the lovely Le Mรฉridien Ra Beach Hotel & Spa.
Only ~30 minutes south of Barcelona, the venue is located right on the sunny Mediterranean Sea โ๏ธ๐ด
We've negotiated a discounted group rate, so book thru the conference site: objectivebythesea.org/v5/location.htโฆ
Only ~30 minutes south of Barcelona, the venue is located right on the sunny Mediterranean Sea โ๏ธ๐ด
We've negotiated a discounted group rate, so book thru the conference site: objectivebythesea.org/v5/location.htโฆ
We're also stoked to offer new and expanded (3-day) trainings at #OBTS v5.0:
Training 0x1: "The Art of Mac Malware: Detection & Analysis" by @patrickwardle
Training 0x2: "Arm Reverse Engineering & Exploitation" by @Fox0x01 ๐ฆ
For more info/to sign up:
objectivebythesea.org/v5/trainings.hโฆ
Training 0x1: "The Art of Mac Malware: Detection & Analysis" by @patrickwardle
Training 0x2: "Arm Reverse Engineering & Exploitation" by @Fox0x01 ๐ฆ
For more info/to sign up:
objectivebythesea.org/v5/trainings.hโฆ
Was digging through court records related to Vault 7 and found this tidbit. The FBI used the wifi at Starbucks to download the leak. #OBTS
Day two of training, currently talking about Appleโs native OS X encryption scheme. #OBTS
Here's a 2013 blog post about Apple's native encryption scheme, h/t @patrickwardle. #OBTS cerbero-blog.com/?p=1311
โ ๏ธ Latest macOS 0day (credit: Park Minchan)
...bypasses File Quarantine, Gatekeeper, etc.
Advisory:
๐ "macOS Finder RCE" ssd-disclosure.com/ssd-advisory-mโฆ
๐ Confirmed Big Sur & Monterey are vulnerable
๐งฎ I've posted Park's PoC (pops Calc) if you'd like to play: objective-see.com/downloads/PoCsโฆ
...bypasses File Quarantine, Gatekeeper, etc.
Advisory:
๐ "macOS Finder RCE" ssd-disclosure.com/ssd-advisory-mโฆ
๐ Confirmed Big Sur & Monterey are vulnerable
๐งฎ I've posted Park's PoC (pops Calc) if you'd like to play: objective-see.com/downloads/PoCsโฆ
The PoC once downloaded still has to be manually executed by the user.
macOS should, via File Quarantine/Gatekeeper, alert/warn/block as this is an 'executable' item from the Internet.
Apple attempted to patch (blocking file:// prefix), but File:// or fIle:// still work ๐คฃ๐คฃ๐คฃ
macOS should, via File Quarantine/Gatekeeper, alert/warn/block as this is an 'executable' item from the Internet.
Apple attempted to patch (blocking file:// prefix), but File:// or fIle:// still work ๐คฃ๐คฃ๐คฃ
โน๏ธ The initial patch, will as noted, block items that attempt to abuse the "file://" prefix: (but not "File://" etc.):
[ #OBTS News ]
Objective by the Sea v4.0 (2021):
objectivebythesea.com/v4/
๐จโ๐ซ Training: 09/28 - 09/29
๐ฌ Presentations: 09/30 - 10/01
๐ Location: Maui, Hawaii, USA
Can't wait to see y'all in lovely Maui!! โ๏ธ๐ด
...more details (venue, registration, etc.) soon!
Objective by the Sea v4.0 (2021):
objectivebythesea.com/v4/
๐จโ๐ซ Training: 09/28 - 09/29
๐ฌ Presentations: 09/30 - 10/01
๐ Location: Maui, Hawaii, USA
Can't wait to see y'all in lovely Maui!! โ๏ธ๐ด
...more details (venue, registration, etc.) soon!
#OBTS v4.0 Call For Papers now open!
Themes of interest are ๐-security topics, such as:
โ๏ธ OS internals
๐ฆ Malware analysis
๐ ๏ธ Tool making & breaking
๐ Bug discovery & exploitation
CFP details: objectivebythesea.com/v4/cfp.html
Themes of interest are ๐-security topics, such as:
โ๏ธ OS internals
๐ฆ Malware analysis
๐ ๏ธ Tool making & breaking
๐ Bug discovery & exploitation
CFP details: objectivebythesea.com/v4/cfp.html
We've selected the newly remodeled beachside Westin Resort & Spa, in Ka'anapali Maui to host #OBTS v4.0๐๏ธ ๐
We've also secured a block of rooms at a massively discounted group rate. These will sell out, so don't wait (too long)!
More info / to book: objectivebythesea.com/v4/attending.hโฆ
We've also secured a block of rooms at a massively discounted group rate. These will sell out, so don't wait (too long)!
More info / to book: objectivebythesea.com/v4/attending.hโฆ
